The cyberattack on Sony Pictures went far beyond the typical corporate hack -- with attackers allegedly leaking huge amounts of data, including personal information about employees and internal company strategy information. The malware reportedly used in the attack also damaged the underlying systems at the company, making recovery much more difficult than other types of corporate cyberespionage.
"These attacks are pretty devastating," said Kurt Baumgartner, principal for security research at Kaspersky Lab. The investigation into the situation could run on for months, and the cleanup will likely cost millions "if not tens of millions," he said.
Baumgartner cited examples such as retailer TJ Maxx, which he says reported over $250 million in cleanup costs from a 2007 hack, and the Target breach from last year, which he expects will probably run over $400 million in cleanup costs. In 2011, Sony's PlayStation Network was hacked, costing the company an estimated $170 million.
The cost of the hack against Sony Pictures is complicated to calculate. The company will have to bring in cybersecurity firms to investigate what happened and invest substantial effort to get its networks up and running again. The studio will suffer lost revenue from films that were stolen and released online by hackers, and it might face legal costs responding to the needs of former and current employees whose personal information has been exposed. Documents allegedly released by the perpetrators of the digital heist may also put a damper on deals in process, or make some Hollywood stars -- some of whom appear to have had their personal data exposed by the attack -- less inclined to do business with the company.
"In the short term, the danger is how do you clean up," said Allan Friedman, a computer science professor with a focus on cybersecurity at George Washington University. "From a long-term perspective they shouldn't be asking themselves 'What have we lost?' but 'How has our potential to grow been compromised?'"
According to data management company Identity Finder, data allegedly leaked by the hackers contained more than 47,000 Social Security numbers, some belonging to celebrities. And most files containing SSNs included other personally identifiable information, such as full names, dates of birth and home addresses, the company said, which would make it easier to perpetrate identity theft against the victims. Sony Pictures is reportedly providing third-party identity protection services for current employees. But that does little to help former employees whose data was exposed by the hack, as Kashmir Hill at Fusion noted.
The attack, which came to light before Thanksgiving, reportedly left employees around the world resorting to pen and paper to do their jobs.
"The disruption to business is probably the largest direct cost, and in the case of Sony they actually had to shut down their network when responding to the incident," Baumgartner said. "You're talking about a company whose revenue is massive. The cash flow is incredible for these businesses, so to be offline for any period of time is extremely costly."
While some of the company's systems were back online by Monday of this week, reports suggest work to restore its technical infrastructure is ongoing.
"Backups and restores are always a best practice, but not every company follows best practices, and people don't test or verify that their backups are clean," Baumgartner said. In the case of Sony, the company has not disclosed how long attackers were in their system before the attack wreaked havoc on the company. Baumgartner believes that they may have been inside the system for months, adding complexity to the restoration process as investigators ensure the network backups are clean of an attacker's code.
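The verification step Baumgartner describes, checking that a backup is clean before trusting it, can be made concrete with a hash manifest taken when the backup is written and checked again before restoring. The Python below is an added example written for this article; it is not Sony's tooling, and the file names and contents it creates are constructed. It assumes the manifest is stored separately from the backup (for example signed and kept offline), since a manifest an intruder can rewrite proves nothing.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup sets need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Record the hash of every file under root, keyed by relative POSIX path.

    Taken at backup time. Assumption: the manifest is stored apart from the
    backup share, so write access to the backup alone cannot update it."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a backup set on disk against its manifest before restoring.

    Reports files whose content changed, files present that were never
    recorded (where code planted during a long intrusion would surface),
    and recorded files that are now missing."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p, h in current.items()
                           if p in manifest and manifest[p] != h),
        "added": sorted(p for p in current if p not in manifest),
        "missing": sorted(p for p in manifest if p not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a tiny backup set, simulate changes made
    after the manifest was taken, then verify against the stored manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "app").mkdir(parents=True)
        # Constructed sample files, not real artefacts from any incident.
        (backup / "app" / "config.ini").write_text("db_host=db.internal\n")
        (backup / "app" / "service.bin").write_bytes(b"\x7fELF" + b"\x00" * 16)
        (backup / "README.txt").write_text("restore notes\n")

        manifest = build_manifest(backup)
        # This JSON is what an operator would sign and keep off the backup share.
        stored = json.dumps(manifest, indent=2, sort_keys=True)

        # Simulated post-backup changes (constructed): one edit, one extra file, one deletion.
        (backup / "app" / "config.ini").write_text("db_host=db.internal\ndebug=1\n")
        (backup / "app" / "unexpected.bin").write_bytes(b"\x7fELF" + b"\xff" * 16)
        (backup / "README.txt").unlink()

        return verify_backup(backup, json.loads(stored))


if __name__ == "__main__":
    print(demo())
```

A restore should be blocked, not just logged, when any of the three lists is non-empty; the "added" list is the one that catches material a long-resident intruder left behind, which a plain restorability test (does the backup mount and read?) never looks for.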
Sony Pictures' internal approach to security may have contributed to the devastating nature of the attack. "It's clear they did not have their networks well segmented, and the attackers could move freely and destroy data," said Baumgartner. Reports indicate the company didn't follow many industry best practices: For instance, passwords may have been saved in clearly labeled files without encryption.
Fusion reports that documents leaked after the recent attack show the company had just 11 people assigned to its information security team: "Three information security analysts are overseen by three managers, three directors, one executive director and one senior-vice president." (Sony Pictures did not respond to requests for comment for this story.)
Jason Spaltro, then executive director of information security at Sony Pictures, called it a "valid business decision to accept the risk of a security breach" in a 2007 interview with CIO Magazine, adding he would not invest "$10 million to avoid a possible $1 million loss."
Deputy Defense Secretary Ashton Carter, President Obama's nominee for the top spot at the Pentagon, has called for private industry to better guard itself against cyberattacks. "There's a market failure in the cybersecurity field," Carter said at an Aspen Security Forum last year, explaining that private companies underinvest in cybersecurity.
Baumgartner doubts even the Sony Pictures breach and the string of retail hacks over the past year will get companies to wake up to their own digital vulnerability. "I think it's going to require lawsuits and more financial losses before companies start to take this seriously," he said.
But there might at least be one financial bright side to the attack for Sony: Rampant news coverage of the attack and the reported link between the hack and North Korean outrage over "The Interview" -- an upcoming action comedy centered on a tabloid journalist being tasked by the CIA with assassinating North Korean leader Kim Jong-un -- gave the movie a lot of exposure.
"I think I'm going to go see it now," Baumgartner said.